
Confucius Targets Pakistan with WooperStealer and Anondoor Malware

2 unique sources, 2 articles

Summary


The threat actor Confucius has launched a new phishing campaign targeting Pakistan, deploying WooperStealer and Anondoor malware. The campaign has targeted government agencies, military organizations, defense contractors, and critical industries since at least December 2024. The attacks use spear-phishing and malicious documents to deliver malware that steals sensitive data and exfiltrates device information. Confucius has shifted from document-focused stealers to more advanced Python-based backdoors like Anondoor, which provides long-term persistence and command execution capabilities. The group employs DLL side-loading, obfuscated PowerShell scripts, scheduled tasks, and stealthy exfiltration routines to achieve persistence and evade detection. Anondoor is capable of full host profiling: it collects system details, geolocates public IPs, and inventories disk volumes before receiving tasking from its command-and-control (C2) servers.

Timeline

  1. 02.10.2025 17:44 · 2 articles

    Confucius Launches Phishing Campaign Targeting Pakistan with WooperStealer and Anondoor

    Confucius has been actively targeting Pakistan with a new phishing campaign since December 2024. The campaign uses spear-phishing and malicious documents to deliver WooperStealer and Anondoor malware. The attacks have employed .PPSX and .LNK files to deliver the malware via DLL side-loading techniques. The malware is designed to steal sensitive data and exfiltrate device information, demonstrating the group's adaptability and persistence. The group has shifted from document-focused stealers like WooperStealer to more advanced Python-based backdoors like Anondoor, which provides long-term persistence and command execution capabilities. Anondoor is capable of full host profiling: it collects system details, geolocates public IPs, and inventories disk volumes before receiving tasking from its command-and-control (C2) servers.


Similar Happenings

Phantom Taurus Targets Government and Telecommunications Organizations

Government and telecommunications organizations in Africa, the Middle East, and Asia have been targeted by a China-aligned nation-state actor known as Phantom Taurus over the past two-and-a-half years. The group focuses on espionage, targeting ministries of foreign affairs, embassies, geopolitical events, and military operations. Phantom Taurus employs custom-developed tools and techniques, including a bespoke malware suite named NET-STAR, to maintain long-term intelligence collection and obtain confidential data from targets of strategic interest to China. The group's activities coincide with major global events and regional security affairs, demonstrating stealth, persistence, and adaptability in their tactics, techniques, and procedures (TTPs). Phantom Taurus has been observed using a .NET malware suite named NET-STAR to breach IIS web servers, which operates almost entirely in memory and includes a fileless backdoor that establishes encrypted command-and-control (C2) sessions. The suite includes a backdoor named IIServerCore that accepts commands and encoded .NET payloads, enabling arbitrary code execution on compromised systems. The suite also includes two AssemblyExecuter loaders (v1 and v2) that allow dynamic loading of additional .NET malware, with v2 featuring advanced evasion techniques such as AMSI and ETW bypass. The group uses custom SQL queries to search for specific tables and keywords on compromised systems, exporting all matching results. Additionally, Phantom Taurus's operational methods are supported by other custom malware, including TunnelSpecter and SweetSpecter, which are used for email exfiltration.

UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other entities globally to advance Beijing's strategic interests. The group employs a multi-stage attack chain leveraging advanced social engineering, valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to evade detection. The campaign, detected in March 2025, uses captive portal redirections to deliver a PlugX variant called SOGU.SEC. The attacks involve redirecting web traffic through a captive portal to a threat actor-controlled website, downloading a digitally signed downloader (STATICPLUGIN), and deploying the SOGU.SEC backdoor in memory. The malware supports commands to exfiltrate files, log keystrokes, and launch remote command shells. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities. The campaign targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain involved compromised edge devices intercepting captive portal checks and redirecting users to a malicious website. The malicious website used a valid TLS/SSL certificate issued by Let's Encrypt to avoid browser security warnings. The first-stage malware, STATICPLUGIN, dropped a launcher called CANONSTAGER, which used unconventional techniques to hide its activities. The final payload was a variant of the PlugX backdoor, tracked by Google as SOGU.SEC. In September 2025, new information revealed that the PlugX variant overlaps with RainyDay and Turian backdoors, targeting telecommunications and manufacturing sectors in Central and South Asia. The campaign is linked to Mustang Panda, which also uses Bookworm malware. Bookworm has been used since 2015 and includes capabilities to execute commands, upload/download files, exfiltrate data, and establish persistent access.

Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign

APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since August 1, 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated.

XenoRAT malware campaign targets embassies in South Korea

A state-sponsored espionage campaign, attributed to North Korean threat actors, has been targeting foreign embassies and defense-related institutions in South Korea since March 2025 to deploy XenoRAT malware. The campaign, which has launched at least 19 spear-phishing attacks, uses highly contextual and multilingual lures to deliver malicious payloads via GitHub and cloud storage services. The latest attack involved deepfakes of South Korean military identification documents, targeting journalists, researchers, and human-rights activists with themes related to sensitive topics. The campaign's infrastructure and techniques match those of the North Korean actor Kimsuky (APT43), but some indicators suggest possible Chinese involvement. The malware, XenoRAT, is a powerful trojan capable of logging keystrokes, capturing screenshots, accessing webcams and microphones, performing file transfers, and facilitating remote shell operations. It is loaded directly into memory and obfuscated to maintain a stealthy presence on infected systems.

EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

The Russian threat actor EncryptHub is exploiting the MSC EvilTwin vulnerability (CVE-2025-26633) to deliver the Fickle Stealer malware. This campaign combines social engineering with technical exploitation to bypass security defenses. The group uses fake IT department requests and rogue Microsoft Console (MSC) files to trigger the infection routine. The malware collects system information, establishes persistence, and communicates with the EncryptHub command-and-control (C2) server. The threat actor has been active since mid-2024 and is known for using various methods, including fake job offers and compromised Steam games, to infect targets. The latest attack sequence involves using PowerShell commands and a Go-based loader called SilentCrystal to deploy the malware. The group also abuses the Brave Support platform to host next-stage malware and uses phony videoconferencing platforms to deceive victims into downloading malicious installers.